diff --git a/awx/settings/__init__.py b/awx/settings/__init__.py
index 2332863d7b..78afed70bd 100644
--- a/awx/settings/__init__.py
+++ b/awx/settings/__init__.py
@@ -63,6 +63,15 @@ assert_production_settings(DYNACONF, settings_dir, settings_file_path)
 # Load envvars at the end to allow them to override everything loaded so far
 load_envvars(DYNACONF)
+# When deployed as part of AAP (RESOURCE_SERVER__URL is set), enforce JWT-only
+# authentication. This ensures all requests go through the gateway and prevents
+# direct API access to Controller bypassing the platform's authentication.
+if DYNACONF.get('RESOURCE_SERVER__URL', None):
+ DYNACONF.set(
+ "REST_FRAMEWORK__DEFAULT_AUTHENTICATION_CLASSES",
+ ['ansible_base.jwt_consumer.awx.auth.AwxJWTAuthentication'],
+ )
+
 # This must run after all custom settings are loaded
 DYNACONF.update(
 merge_application_name(DYNACONF),
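Review bot: Overriding `REST_FRAMEWORK__DEFAULT_AUTHENTICATION_CLASSES` in the new `if DYNACONF.get('RESOURCE_SERVER__URL', None):` block changes only the default, so any view that declares its own `authentication_classes` keeps whatever it lists and is not made JWT-only. The added comment's claim that this prevents direct API access is therefore stronger than what the setting guarantees. I would scope the comment, e.g. `# Applies only to views using the default authentication classes; views that set authentication_classes explicitly must be audited separately.` It is also worth confirming that `DYNACONF.set(...)` replaces the existing list rather than merging into it under this project's Dynaconf merge configuration (not visible here), since a merge would leave the previously configured classes active; a settings test asserting the value equals exactly the one-element list when `RESOURCE_SERVER__URL` is set would pin that. The `DYNACONF.update(` call at the end of the hunk continues outside it.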